Quishing
Also known as: QR code phishing, malicious QR sticker
Phishing through malicious QR codes. Scammers print stickers over real QR codes in parking lots, restaurants, or on bills so scanning leads to a fake payment page.
Quishing — QR code phishing — exploits the fact that QR codes are unreadable to humans. The scammer creates a QR sticker that looks identical to a legitimate one (parking meter, restaurant menu, electricity bill, charging station) and pastes it over the real code. When you scan, the link leads to a convincing fake payment portal that captures your card details or UPI credentials.
Quishing rose sharply in 2024-2025 as contactless payment via QR became universal in India through UPI and in the West through restaurant QR menus. Public infrastructure — parking, EV charging, transit kiosks — is the highest-risk zone because the scam targets anyone who walks by.
The defense: look at the destination URL before paying. Legitimate UPI payment links show the merchant name and amount in the app. If the URL goes to a random domain or asks you to log in again, close it.